On SonarCloud, consumers of webhooks should verify that the received payloads are initiated by SonarCloud and not by hackers. This check is currently handled by rejecting requests whose source IP is not in the documented whitelist.
This approach works well but is complex:
- it requires infrastructure changes on the user side (firewall rules)
- the list of IPs is a constraint for operating the web servers and compute engines that send webhooks. It's more or less hardcoded and changes are hard to apply.
- it's not the mechanism recommended by services like GitHub (doc) or PaymentsOS (doc), which sign the payload instead
Checking the origin of webhooks makes sense on SonarQube too.
Consumers should compute the signature of the received payload and compare it with the value of the HTTP header X-Sonar-Webhook-HMAC-SHA256 sent with the request. A shared secret is defined in the organisation settings and is used to compute the signature.
- Deprecate the list of public IPs by adding a warning to the documentation. The list of public IPs will be removed from documentation on 1st of June 2019
- Add the optional parameter secret to POST api/webhooks/create and POST api/webhooks/update.
- Return the secret in GET api/webhooks/list
- If secret is set, add the header X-Sonar-Webhook-HMAC-SHA256 to the HTTP request
- Add the secret field to the administration console. Note that the GitHub console does not display the secret value by default, even though the value is accessible in the HTML code; it requires clicking on the "Edit" button (see attached screenshot).
- Complete the documentation. The Java code that validates the received signature looks like:
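The following is an added example, not the snippet the ticket refers to and not SonarQube's own code. It shows both sides of the mechanism described above: the producer computing the X-Sonar-Webhook-HMAC-SHA256 header from the shared secret and the raw request body, and the consumer recomputing it and comparing in constant time. It assumes the header value is the lowercase hex encoding of HMAC-SHA256 over the raw body bytes with the secret as key; the secret and JSON payload are constructed values.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;

public class SonarWebhookSignature {

    static final String HEADER = "X-Sonar-Webhook-HMAC-SHA256";

    /**
     * Producer side: hex-encoded HMAC-SHA256 of the raw request body, keyed with the
     * shared secret (assumed encoding; the ticket only names the algorithm and header).
     */
    static String computeSignature(String secret, byte[] body) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
            return toHex(mac.doFinal(body));
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException("HmacSHA256 is not available in this JVM", e);
        }
    }

    /**
     * Consumer side: recompute the MAC over the body exactly as received (the raw bytes,
     * not a re-serialized JSON object) and compare in constant time so the check does
     * not leak how many leading bytes of the header matched.
     */
    static boolean isValidSignature(String secret, byte[] rawBody, String receivedHeader) {
        if (receivedHeader == null || receivedHeader.isEmpty()) {
            return false; // header absent: treat as unsigned and reject
        }
        byte[] expected = computeSignature(secret, rawBody).getBytes(StandardCharsets.US_ASCII);
        byte[] received = receivedHeader.toLowerCase().getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, received);
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed values: a webhook secret as set in the organisation settings,
        // and a minimal JSON payload standing in for a real SonarQube webhook body.
        String secret = "example-webhook-secret";
        byte[] body = "{\"serverUrl\":\"https://sonarcloud.io\",\"status\":\"SUCCESS\"}"
                .getBytes(StandardCharsets.UTF_8);

        String header = computeSignature(secret, body);
        System.out.println(HEADER + ": " + header);

        System.out.println("genuine payload:  " + isValidSignature(secret, body, header));
        System.out.println("tampered payload: " + isValidSignature(secret,
                "{\"serverUrl\":\"https://evil.example\",\"status\":\"SUCCESS\"}".getBytes(StandardCharsets.UTF_8), header));
        System.out.println("wrong secret:     " + isValidSignature("other-secret", body, header));
        System.out.println("missing header:   " + isValidSignature(secret, body, null));
    }
}
```

Two points matter in practice: the consumer must hash the request body bytes exactly as they arrived, because re-serializing the JSON can change whitespace or key order and break the MAC; and a missing header must be rejected rather than skipped, otherwise an attacker who knows the consumer's URL simply omits it.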